Posted by munimnal (sys admin) on Nov 4 at 12:14 AM
I want to bind each IP address with the hardware address of the system, so that
if the person changes the IP address, he will be blocked from the network. Is
there any idea... without DHCP?

Hi Munim, you can do this on a manageable switch. Log into the access switch on which you want to implement port security, switch to global configuration mode, then interface configuration mode, and use the command 'switchport port-security mac-address'.

Hi GalaxyJoshuaWu,
But that port security thing is not related to IP-to-MAC conversion, sir. In that case, even if you change the IP address of the same system, no problem occurs. That is useful when two different systems are using the same IP address and are connected to the same port at different times.
Please reply.

Hi Hritesh Yadav,
Of course. First, we need to configure the IP-to-MAC binding on a DHCP server system; this will make sure that each specific machine gets its pre-allocated IP address. Then, configure port security on a switch. Later, if that user ever tries to change the physical address (the MAC address of the network card) of his/her machine, he/she will be locked out of the network. This applies layer 2 security.
Yes, if that user tries to use the ip add command, surely he/she can change the IP address of the system; then an ACL would help (you need a layer 3 switch to do a per-port ACL). If he/she ever tries to change the IP address configuration of the system, it will be blocked. This applies layer 3 security.
Without a DHCP server system, it would be tough work to do IP-to-MAC binding.

Hi...
My intention is that there will be a database of IP addresses with the
corresponding MAC addresses. If someone changes his/her IP address, it should
verify the IP address against that database before allowing it to access the
internet, for which I can enable port security at the proxy server for port
3128 (say). Can you please tell me how I can do the same?
Please reply.

Hi GalaxyJoshuaWu,
Can you please tell me how to implement ACLs on an L3 switch? My switch is a
Cisco 3750. Do you have any documentation for that purpose? Please reply.
Munim
>
>
> hi GalaxyJoshuaWu
> first of all thanks a lot for your response...
> could you please tell me how to configure the ip to Mac binding on DHCP
> server system??
> thanks once again
>
>

To configure an ACL (access control list), first you need to move into global configuration mode.
You can choose to configure a named ACL or a numbered ACL (if your IOS is newer than 12.3, there is no difference between them, it is just a different method to achieve the same goal), and a standard ACL or an extended ACL (the type of ACL defines what can be filtered in the ACL).
e.g.
1. numbered extended ACL: access-list 101 permit ip 192.168.0.1 0.0.0.0 any
2. named extended ACL: ip access-list extended 101
(sub ACL mode): permit ip 192.168.0.1 0.0.0.0 any
After you have the ACL defined, you need to apply it to a physical port or virtual port.
Enter interface subcommand mode and issue: ip access-group 101 in
If there is an ACL configured on your router or switch, you can execute sh run, which will list all the ACLs that have been configured on your device.
The Cisco learning course is good material for learning network technology. It's all over the internet, just search for CCNA learning material.

Hi Jasua,
Thanks for the nice reply. Can I allow/deny an IP address together with a MAC
address, like "access-list 101 allow IP address MAC address", so that if the
person changes the IP address/MAC he can't get access? Please reply.
munim
>
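The database check described earlier in this thread (a list of IP addresses with their corresponding MAC addresses, verified against what is actually on the network) can be run as an audit over the switch's ARP table. The following is an added example, not code from any poster in the thread; the binding table, the addresses and the sample `show ip arp` output are constructed, and the function names are hypothetical.

```python
import re

# Constructed binding database: the IP each registered MAC address may use.
BINDINGS = {
    "0011.2233.4455": "192.168.0.1",
    "0011.2233.4466": "192.168.0.2",
    "0011.2233.4477": "192.168.0.3",
}

# Constructed sample in the layout of Cisco IOS "show ip arp" output.
SAMPLE_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.0.1             5   0011.2233.4455  ARPA   Vlan10
Internet  192.168.0.9             1   0011.2233.4466  ARPA   Vlan10
Internet  192.168.0.3             0   00AA.BBCC.DDEE  ARPA   Vlan10
Internet  192.168.0.7             0   Incomplete      ARPA
"""

# One ARP row: protocol, IPv4 address, age, dotted-hex MAC address.
ROW = re.compile(
    r"^Internet\s+(\d{1,3}(?:\.\d{1,3}){3})\s+\S+\s+"
    r"([0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\s",
    re.M,
)


def parse_arp(text):
    """Return (ip, mac) pairs; header and Incomplete rows do not match."""
    return [(ip, mac.lower()) for ip, mac in ROW.findall(text)]


def audit(arp_text, bindings):
    """Compare live ARP entries with the binding database."""
    ip_owner = {ip: mac for mac, ip in bindings.items()}
    findings = []
    for ip, mac in parse_arp(arp_text):
        bound_ip = bindings.get(mac)
        if bound_ip == ip:
            continue  # entry matches its registered binding
        if bound_ip is not None:
            findings.append(("ip-changed", ip, mac))    # known MAC, other IP
        elif ip in ip_owner:
            findings.append(("mac-mismatch", ip, mac))  # bound IP, other MAC
        else:
            findings.append(("unknown-host", ip, mac))  # neither is registered
    return findings


if __name__ == "__main__":
    for kind, ip, mac in audit(SAMPLE_ARP, BINDINGS):
        print(f"{kind:13} ip={ip} mac={mac}")
```

This only reports mismatches; blocking still has to come from the port security and ACL configuration discussed in the thread.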